
Introduction

What is TOTP?

Having 2 Factor Authentication on all your accounts is a good way to keep your data more secure. With 2FA logins, not only is a username and password needed, but also a one-time-use code. There are a few different ways to get that code, such as by email, phone call or SMS. But my favorite way to do it is via a 'Google Authenticator' time-based OTP (one time password), also known as a TOTP.

Using an app on your phone like Authy or Google Authenticator, you set up a secret given to you by the service, then every 30 seconds a new code is generated for you. What's extra nice is that the Google Authenticator protocol is supported by just about every service and phone/tablet.

So What's The Problem?

I don't own a phone! So I have to ask Mr. Ladyada for an authenticator code. Or I can use my tablet, but it's not always at my desk. And I don't want to buy a phone just for using 2FA!

A Solution!

Luckily for us, the Google Authenticator protocol (TOTP, standardized as RFC 6238 on top of HOTP, RFC 4226) is really simple: you just need to know the current time and be able to compute an HMAC-SHA1 over the shared secret and a counter that increments every 30 seconds.

I decided to build a simple device that all it does is generate TOTPs for me, using CircuitPython - my favorite programming language! It uses a Feather ESP8266 which has WiFi so it can connect to an NTP server to get the current time on startup, and a Feather OLED to display text nice and clearly.

Every time I need a new code, I just click the reset button and within 2 seconds I've got my 3 most common TOTPs on hand (yes, it's that fast!)

FAQ

THIS IS NOT A QUESTION MORE OF A COMMENT. YOU ARE PROGRAMMING THE TOTP SECRET INTO THE FLASH OF THE MICROCONTROLLER AND ITS NOT ENCRYPTED OR PROTECTED AT ALL ANYONE COULD BREAK INTO YOUR APARTMENT, GO TO YOUR BEDROOM, LOOK ON YOUR DESK, FIND THIS AND THEN CONNECT IT UP TO THEIR HACKER LAPTOP TO GRAB YOUR SECRET KEY THEN IF THEY HAD YOUR USERNAME AND PASSWORD THEY WOULD BE ABLE TO LOG IN AS YOU AND THIS IS REALLY INSECURE ITS SO IRRESPONSIBLE TO CONSIDER PUBLISHING A PROJECT LIKE THIS BY THE WAY DID YOU SEE THAT SNOWDEN APP? MAYBE YOU CAN RUN THAT ON A PHONE SO YOU CAN WATCH YOUR DESK REMOTELY AND MAKE SURE NOBODY BROKE IN TO STEAL YOUR FEATHER? OH WAIT YOU JUST SAID YOU DON'T HAVE A PHONE. OK I DONT KNOW WHAT MY QUESTION IS

Flash the latest version of CircuitPython (you'll need v2.2 or higher) and continue to the next step!

Installing and using ampy

We're using the ESP8266 Feather which means it has lots of memory and Internet capability. We use the Internet part to get the current time. However, this Feather is not as easy to use as the SAMD series, as it does not show up as a disk drive! Instead you copy files to it and run them over the serial port with ampy.

Set Up Tokens

You'll also need to get 2 factor "authenticator tokens/secrets". Each site is a little different about how it does this.

For example, when you set up GMail for 2FA it will show you a QR code like this:

This is not the real token from my gmail

Which is great for phones. For us, we need the base32-encoded token. Click the Can't Scan It? link or otherwise request the text token. You'll get a page like this

This is not the real token from my gmail

That string of letters and numbers may be uppercase or lowercase, and it may be 16 characters long or 24 or 32 or some other quantity. It doesn't matter! Grab that string and remove the spaces so it's one long string like "ra4ndd2utltotseol564z3jijj5jo677". The token is base32 (RFC 4648), whose alphabet is only the letters A-Z and the digits 2-7, so the digits 0, 1, 8 and 9 never appear: anything that looks like an O, l or I is a letter.

Now edit this section of the code; you can display up to 3 accounts on a Feather OLED. If you pad the name with spaces the numbers will be right-justified, but it's not important, I'm just picky.

If you want to test the setup first, you can keep the Discord entry which is the "PyOTP" example token. Then scan this with your phone in Authy or Google Authenticator

Test It Out!

OK, once you've set everything up, let's test!

Run the program directly on the Feather with OLED attached using ampy --port portname run main.py

You'll see it connect to your local network, get the time via NTP, then calculate and display OTP codes both on the OLED and on the serial port (you'll need to wait until the program is done to see the serial output).

Check against your phone to make sure the codes are correct. Once you're satisfied, tweak the two lines to change the behavior
